On Fri, 2021-04-09 at 16:43 +0100, lejeczek wrote:
> > > I get what you were saying but I also wondered - when I
> > > showed my "primary_conninfo" & pg_hba: why does replication
> > > appear to work without the bits you mention and what is the
> > > significance of 'clientcert=1' in all this.
> >
> > Replication works just fine when unencrypted.
> >
> > "clientcert=1" (in versions before v12) means that the server will
> > reject a client connection unless it sends a client certificate that is
> > signed by an authority that the server recognizes.
>
> And by 'recognizes' we would mean the one from 'ssl_ca_file'
> which, if true then I still have to wonder why my pgSQLs
> were not happy.
> My first guess and first question at the same time would be
> - could be because how my certs were crafted?
> Beyond "regular" certs params, or something "extra" in other
> words, I requested my certs to have 'Extended Key Usage'.
> Thus my certs have both: TLS Web Server Authentication, TLS
> Web Client Authentication, which I thought is a 'must' since
> pgSQL in replication/clusters is both server and the
> client. (no?)

This seems to be an SSL question unrelated to PostgreSQL.
Perhaps you can use SSL tools like "openssl s_client" and "openssl s_server"
to debug this.

> > > Does that confirm healthy & encrypted replication?
> >
> > Compare with the lines in "pg_stat_replication". If the entry with "ssl" = true
> > (pid 78705) has the same PID as the entry in "pg_stat_replication", then that
> > connection is encrypted, yes.
>
> I think those match, but what is that 'Record 3' (which has
> no match in 'pg_stat_replication', I can guess but I rather
> ask)? Master-supplier with two standbys is my setup.
>
> -[ RECORD 1 ]-+-----------------------
> pid           | 108394
> ssl           | t
> version       | TLSv1.3
> cipher        | TLS_AES_256_GCM_SHA384
> bits          | 256
> compression   | f
> client_dn     |

How should I know?

> client_serial |
> issuer_dn     |
> -[ RECORD 2 ]-+-----------------------
> pid           | 108395
> ssl           | t
> version       | TLSv1.3
> cipher        | TLS_AES_256_GCM_SHA384
> bits          | 256
> compression   | f
> client_dn     |
> client_serial |
> issuer_dn     |
> -[ RECORD 3 ]-+-----------------------
> pid           | 111811
> ssl           | f
> version       |
> cipher        |
> bits          |
> compression   |
> client_dn     |
> client_serial |
> issuer_dn     |

It might well be your own local connection on which you are running the query...

Yours,
Laurenz Albe
-- 
Cybertec | https://www.cybertec-postgresql.com
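The PID matching described in this reply can be done in one query instead of by eye. The following is an added example, not part of the original thread or of PostgreSQL's own tooling; it assumes a primary running PostgreSQL 9.5 or later (where pg_stat_ssl exists) with streaming standbys, and labels the querying session itself so that an unmatched non-SSL row like 'RECORD 3' is explained. A blank client_dn on an ssl = t row means the standby did not present a client certificate at all.

```sql
-- Added example: join pg_stat_ssl to pg_stat_replication on backend PID so
-- each SSL row is labelled as "this session", a replication connection, or
-- some other backend. Assumes a primary with streaming standbys (not from
-- the original thread).
SELECT s.pid,
       CASE
         WHEN s.pid = pg_backend_pid() THEN 'this session'
         WHEN r.pid IS NOT NULL
           THEN 'replication to ' || coalesce(r.client_addr::text, 'local socket')
         ELSE 'other backend'
       END AS role,
       s.ssl,
       s.version,
       s.cipher,
       s.client_dn,      -- NULL when the peer sent no client certificate
       r.state,
       r.sync_state
FROM pg_stat_ssl s
LEFT JOIN pg_stat_replication r ON r.pid = s.pid
ORDER BY s.pid;

-- Compliance check: list standbys that stream without TLS, or over TLS but
-- without a client certificate. Once every standby's primary_conninfo
-- carries sslmode=verify-full (or at least require) and the matching
-- pg_hba.conf line is hostssl with a clientcert requirement, this should
-- return no rows.
SELECT r.pid,
       r.client_addr,
       r.application_name,
       s.ssl,
       s.client_dn
FROM pg_stat_replication r
JOIN pg_stat_ssl s ON s.pid = r.pid
WHERE NOT s.ssl
   OR s.client_dn IS NULL;
```

Run both queries on the primary as a superuser or a role with pg_read_all_stats, otherwise client_addr and the SSL columns for other sessions are shown as NULL.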